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         IPv6 Router Advertisement Option for DNS Configuration

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   This document specifies a new IPv6 Router Advertisement option to
   allow IPv6 routers to advertise DNS recursive server addresses to
   IPv6 hosts.
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1.  Introduction

   Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address
   Autoconfiguration provide ways to configure either fixed or mobile
   nodes with one or more IPv6 addresses, default routers and some other
   parameters [2][3].  To support the access to additional services in
   the Internet that are identified by a DNS name, such as a web server,
   the configuration of at least one recursive DNS server is also needed
   for DNS name resolution.

   It is infeasible for nomadic hosts, such as laptops, to be configured
   manually with a DNS resolver each time they connect to a different
   wireless LAN (WLAN) such as IEEE 802.11 a/b/g [12]-[15].  Normally,
   DHCP [6]-[8] is used to locate such resolvers.  This document
   provides an alternate, experimental mechanism which uses a new IPv6
   Router Advertisement (RA) option to allow IPv6 routers to advertise
   DNS recursive server addresses to IPv6 hosts.

1.1.  Applicability Statements

   The only standards-track DNS configuration mechanism in the IETF is
   DHCP, and its support in hosts and routers is necessary for reasons
   of interoperability.

   RA-based DNS configuration is a useful, optional alternative in
   networks where an IPv6 host's address is autoconfigured through IPv6
   stateless address autoconfiguration, and where the delays in
   acquiring server addresses and communicating with the servers are
   critical.  RA-based DNS configuration allows the host to acquire the
   nearest server addresses on every link.  Furthermore, it learns these
   addresses from the same RA message that provides configuration
   information for the link, thereby avoiding an additional protocol
   run.  This can be beneficial in some mobile environments, such as
   with Mobile IPv6 [10].

   The advantages and disadvantages of the RA-based approach are
   discussed in [9] along with other approaches, such as the DHCP and
   well-known anycast addresses approaches.

1.2.  Coexistence of RDNSS Option and DHCP Option

   The RDNSS (Recursive DNS Server) option and DHCP option can be used
   together [9].  To order the RA and DHCP approaches, the O (Other
   stateful configuration) flag can be used in the RA message [2].  If
   no RDNSS option is included in the RA messages, an IPv6 host may
   perform DNS configuration through DHCPv6 [6]-[8] regardless of
   whether the O flag is set or not.
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2.  Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [1].

3.  Terminology

   This document uses the terminology described in [2] and [3].  In
   addition, four new terms are defined below:

   o  Recursive DNS Server (RDNSS): Server which provides a recursive
      DNS resolution service for translating domain names into IP
      addresses as defined in [4] and [5].

   o  RDNSS Option: IPv6 RA option to deliver the RDNSS information to
      IPv6 hosts [2].

   o  DNS Server List: A data structure for managing DNS Server
      Information in the IPv6 protocol stack in addition to the Neighbor
      Cache and Destination Cache for Neighbor Discovery [2].

   o  Resolver Repository: Configuration repository with RDNSS addresses
      that a DNS resolver on the host uses for DNS name resolution; for
      example, the Unix resolver file (i.e., /etc/resolv.conf) and
      Windows registry.

4.  Overview

   This document defines a new ND option called RDNSS option that
   contains the addresses of recursive DNS servers.  Existing ND
   transport mechanisms (i.e., advertisements and solicitations) are
   used.  This works in the same way that hosts learn about routers and
   prefixes.  An IPv6 host can configure the IPv6 addresses of one or
   more RDNSSes via RA messages periodically sent by a router or
   solicited by a Router Solicitation (RS).

   Through the RDNSS option, along with the prefix information option
   based on the ND protocol ([2] and [3]), an IPv6 host can perform
   network configuration of its IPv6 address and RDNSS simultaneously
   without needing a separate message exchange for the RDNSS
   information.  The RA option for RDNSS can be used on any network that
   supports the use of ND.

   This approach requires RDNSS information to be configured in the
   routers sending the advertisements.  The configuration of RDNSS
   addresses in the routers can be done by manual configuration.  The
   automatic configuration or redistribution of RDNSS information is
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   possible by running a DHCPv6 client on the router [6]-[8].  The
   automatic configuration of RDNSS addresses in routers is out of scope
   for this document.

5.  Neighbor Discovery Extension

   The IPv6 DNS configuration mechanism in this document needs a new ND
   option in Neighbor Discovery: the Recursive DNS Server (RDNSS)
   option.

5.1.  Recursive DNS Server Option

   The RDNSS option contains one or more IPv6 addresses of recursive DNS
   servers.  All of the addresses share the same lifetime value.  If it
   is desirable to have different lifetime values, multiple RDNSS
   options can be used.  Figure 1 shows the format of the RDNSS option.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |     Length    |           Reserved            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           Lifetime                            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     :            Addresses of IPv6 Recursive DNS Servers            :
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

           Figure 1: Recursive DNS Server (RDNSS) Option Format

   Fields:

     Type          8-bit identifier of the RDNSS option type as assigned
                   by the IANA: 25

     Length        8-bit unsigned integer.  The length of the option
                   (including the Type and Length fields) is in units of
                   8 octets.  The minimum value is 3 if one IPv6 address
                   is contained in the option.  Every additional RDNSS
                   address increases the length by 2.  The Length field
                   is used by the receiver to determine the number of
                   IPv6 addresses in the option.
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     Lifetime      32-bit unsigned integer.  The maximum time, in
                   seconds (relative to the time the packet is sent),
                   over which this RDNSS address MAY be used for name
                   resolution.  Hosts MAY send a Router Solicitation to
                   ensure the RDNSS information is fresh before the
                   interval expires.  In order to provide fixed hosts
                   with stable DNS service and allow mobile hosts to
                   prefer local RDNSSes to remote RDNSSes, the value of
                   Lifetime should be at least as long as the Maximum RA
                   Interval (MaxRtrAdvInterval) in RFC 4861, and be at
                   most as long as two times MaxRtrAdvInterval; Lifetime
                   SHOULD be bounded as follows:  MaxRtrAdvInterval <=
                   Lifetime <= 2*MaxRtrAdvInterval.  A value of all one
                   bits (0xffffffff) represents infinity.  A value of
                   zero means that the RDNSS address MUST no longer be
                   used.

     Addresses of IPv6 Recursive DNS Servers
                   One or more 128-bit IPv6 addresses of the recursive
                   DNS servers.  The number of addresses is determined
                   by the Length field.  That is, the number of
                   addresses is equal to (Length - 1) / 2.

5.2.  Procedure of DNS Configuration

   The procedure of DNS configuration through the RDNSS option is the
   same as with any other ND option [2].

5.2.1.  Procedure in IPv6 Host

   When an IPv6 host receives an RDNSS option through RA, it checks
   whether the option is valid.

   o  If the RDNSS option is valid, the host SHOULD copy the option's
      value into the DNS Server List and the Resolver Repository as long
      as the value of the Length field is greater than or equal to the
      minimum value (3).  The host MAY ignore additional RDNSS addresses
      within an RDNSS option and/or additional RDNSS options within an
      RA when it has gathered a sufficient number of RDNSS addresses.

   o  If the RDNSS option is invalid (e.g., the Length field has a value
      less than 3), the host SHOULD discard the option.
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6.  Implementation Considerations

   Note:  This non-normative section gives some hints for implementing
      the processing of the RDNSS option in an IPv6 host.

   For the configuration and management of RDNSS information, the
   advertised RDNSS addresses can be stored and managed in both the DNS
   Server List and the Resolver Repository.

   In environments where the RDNSS information is stored in user space
   and ND runs in the kernel, it is necessary to synchronize the DNS
   Server List of RDNSS addresses in kernel space and the Resolver
   Repository in user space.  For the synchronization, an implementation
   where ND works in the kernel should provide a write operation for
   updating RDNSS information from the kernel to the Resolver
   Repository.  One simple approach is to have a daemon (or a program
   that is called at defined intervals) that keeps monitoring the
   lifetime of RDNSS addresses all the time.  Whenever there is an
   expired entry in the DNS Server List, the daemon can delete the
   corresponding entry from the Resolver Repository.

6.1.  DNS Server List Management

   The kernel or user-space process (depending on where RAs are
   processed) should maintain a data structure called a DNS Server List
   which keeps the list of RDNSS addresses.  Each entry in the DNS
   Server List consists of an RDNSS address and Expiration-time as
   follows:

   o  RDNSS address: IPv6 address of the Recursive DNS Server, which is
      available for recursive DNS resolution service in the network
      advertising the RDNSS option; such a network is called site in
      this document.

   o  Expiration-time: The time when this entry becomes invalid.
      Expiration-time is set to the value of the Lifetime field of the
      RDNSS option plus the current system time.  Whenever a new RDNSS
      option with the same address is received, this field is updated to
      have a new expiration time.  When Expiration-time becomes less
      than the current system time, this entry is regarded as expired.

   Note:  An RDNSS address MUST be used only as long as both the RA
      router lifetime and the RDNSS option lifetime have not expired.
      The reason is that the RDNSS may not be currently reachable or may
      not provide service to the host's current address (e.g., due to
      network ingress filtering [16][17]).
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6.2.  Synchronization between DNS Server List and Resolver Repository

   When an IPv6 host receives the information of multiple RDNSS
   addresses within a site through an RA message with RDNSS option(s),
   it stores the RDNSS addresses (in order) into both the DNS Server
   List and the Resolver Repository.  The processing of the RDNSS
   option(s) included in an RA message is as follows:

      Step (a): Receive and parse the RDNSS option(s).  For the RDNSS
      addresses in each RDNSS option, perform Step (b) through Step (d).
      Note that Step (e) is performed whenever an entry expires in the
      DNS Server List.

      Step (b): For each RDNSS address, check the following: If the
      RDNSS address already exists in the DNS Server List and the RDNSS
      option's Lifetime field is set to zero, delete the corresponding
      RDNSS entry from both the DNS Server List and the Resolver
      Repository in order to prevent the RDNSS address from being used
      any more for certain reasons in network management, e.g., the
      breakdown of the RDNSS or a renumbering situation.  The processing
      of this RDNSS address is finished here.  Otherwise, go to Step
      (c).

      Step (c): For each RDNSS address, if it already exists in the DNS
      Server List, then just update the value of the Expiration-time
      field according to the procedure specified in the second bullet of
      Section 6.1.  Otherwise, go to Step (d).

      Step (d): For each RDNSS address, if it does not exist in the DNS
      Server List, register the RDNSS address and lifetime with the DNS
      Server List and then insert the RDNSS address in front of the
      Resolver Repository.  In the case where the data structure for the
      DNS Server List is full of RDNSS entries, delete from the DNS
      Server List the entry with the shortest expiration time (i.e., the
      entry that will expire first).  The corresponding RDNSS address is
      also deleted from the Resolver Repository.  In the order in the
      RDNSS option, position the newly added RDNSS addresses in front of
      the Resolver Repository so that the new RDNSS addresses may be
      preferred according to their order in the RDNSS option for the DNS
      name resolution.  The processing of these RDNSS addresses is
      finished here.  Note that, in the case where there are several
      routers advertising RDNSS option(s) in a subnet, the RDNSSes that
      have been announced recently are preferred.

      Step (e): Delete each expired entry from the DNS Server List, and
      delete the RDNSS address corresponding to the entry from the
      Resolver Repository.
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7.  Security Considerations

   The security of the RA option for RDNSS might be worse than ND
   protocol security [2].  However, any new vulnerability in this RA
   option is not known yet.  In this context, it can be claimed that the
   vulnerability of ND is not worse and is a subset of the attacks that
   any node attached to a LAN can do independently of ND.  A malicious
   node on a LAN can promiscuously receive packets for any router's MAC
   address and send packets with the router's MAC address as the source
   MAC address in the L2 header.  As a result, L2 switches send packets
   addressed to the router to the malicious node.  Also, this attack can
   send redirects that tell the hosts to send their traffic somewhere
   else.  The malicious node can send unsolicited RA or Neighbor
   Advertisement (NA) replies, answer RS or Neighbor Solicitation (NS)
   requests, etc.  Also, an attacker could configure a host to send out
   an RA with a fraudulent RDNSS address, which is presumably an easier
   avenue of attack than becoming a rogue router and having to process
   all traffic for the subnet.  It is necessary to disable the RA RDNSS
   option in both routers and clients administratively to avoid this
   problem.  All of this can be done independently of implementing ND.
   Therefore, it can be claimed that the RA option for RDNSS has
   vulnerabilities similar to those existing in current mechanisms.

   If the Secure Neighbor Discovery (SEND) protocol is used as a
   security mechanism for ND, all the ND options including the RDNSS
   option are automatically included in the signatures [11], so the
   RDNSS transport is integrity-protected.  However, since any valid
   SEND node can still insert RDNSS options, SEND cannot verify who is
   or is not authorized to send the options.

8.  IANA Considerations

   The IANA has assigned a new IPv6 Neighbor Discovery Option type for
   the RDNSS option defined in this document.

                 Option Name               Type
                 RDNSS option              25

   The IANA registry for these options is:

       http://www.iana.org/assignments/icmpv6-parameters
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